Bug 714597

Summary: ipa-client-install adds duplicate information to krb5.conf
Product: Red Hat Enterprise Linux 6
Reporter: Marko Myllynen <myllynen>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Docs Contact:
Priority: low
Version: 6.1
CC: benl, dpal, jgalipea, nalin, nsoman, syeghiay
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] section. Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging. Fix: Remove the unnecessary values and sections. Result: A much cleaner and concise configuration file.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 18:36:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 748554

Description Marko Myllynen 2011-06-20 08:27:33 UTC
Description of problem:
After running ipa-client-install on a RHEL 6.1 client, /etc/krb5.conf contains otherwise sane values but in the appdefaults/pam section it has the following entries:

ticket_lifetime
renew_lifetime
forwardable

These seem to be duplicating those values already defined in the libdefaults section. These values are also not present in the default /etc/krb5.conf provided by the recent krb5-libs packages.

It would seem best to add just debug/krb4_convert values to appdefaults/pam section.

Version-Release number of selected component (if applicable):
RHEL 6.1

Comment 2 Nalin Dahyabhai 2011-06-20 14:22:09 UTC
The pam_krb5 module only overrides the [libdefaults] lifetime and forwardable settings if they're specified, so with rare exception, they shouldn't need to be set in the [appdefaults] "pam" section.

Any krb4-specific bits (this includes the "krb4_convert*" group of settings for the PAM module and the "default_domain" setting in the [realms] section) aren't used once the v4 compat bits are dropped starting with krb5 1.8, so we can probably just drop the lot of them.

Comment 3 Rob Crittenden 2011-06-20 16:11:10 UTC
https://fedorahosted.org/freeipa/ticket/1358

Comment 4 Rob Crittenden 2011-06-29 13:40:29 UTC
master: f05141e6468ce972b9c0d9707a4d640fe40da2b7

ipa-2-0: 17c2238f2ccf923906e91ae58abb19e867f499fc

Comment 7 Namita Soman 2011-10-10 19:00:14 UTC
Verified using:
ipa-client-2.1.2-2.el6.x86_64

install updates /etc/krb5.conf to have its appdefaults section as below:
[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }


NeedInfo:
From comment #2, what are the other settings that are or are not expected to be in krb5.conf?

verifying using versions:
krb5-workstation-1.9-21.el6.x86_64
krb5-server-1.9-21.el6.x86_64
krb5-pkinit-openssl-1.9-21.el6.x86_64
krb5-libs-1.9-21.el6.x86_64
krb5-server-ldap-1.9-21.el6.x86_64
pam_krb5-2.3.11-8.el6.x86_64

Comment 8 Namita Soman 2011-10-10 19:08:01 UTC
current krb5.conf after an install:
#File modified by ipa-client-install

[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }

Comment 9 Nalin Dahyabhai 2011-10-10 19:13:00 UTC
You can refrain from adding the entire "pam" portion of the [appdefaults] section, as the module's default behavior is to not override any library settings unless it is told to do so, krb4 ticket conversion's not available because there's no krb4 library, and debug logging isn't enabled by default.  The rest looks alright.

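The behaviour Nalin describes in comments 2 and 9 (pam_krb5 only overrides [libdefaults] lifetime/forwardable settings when they are repeated under appdefaults/pam, and the krb4_convert settings are dead once v4 compatibility is gone) can be turned into a small configuration check. The following is an added example written for this page, not code from the bug, from FreeIPA or from pam_krb5: it parses the krb5.conf profile format (sections, key = value lines and nested key = { ... } blocks) and flags appdefaults/pam entries that duplicate [libdefaults] or are krb4 leftovers. The sample configuration is constructed to resemble the pre-fix output described in the report; the realm name EXAMPLE.TEST is made up.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample in the pre-fix shape described in this bug: lifetime and
# forwardable values repeated under appdefaults/pam, plus a krb4_convert entry.
# Not copied from the page; realm name is invented.
SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install

[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 24h
    renew_lifetime = 24h
    forwardable = yes
    krb4_convert = false
  }
"""

# Settings pam_krb5 takes from [libdefaults] unless repeated under appdefaults/pam
LIBDEFAULTS_KEYS = ("ticket_lifetime", "renew_lifetime", "forwardable")


def parse_krb5_conf(text: str) -> Dict[str, Any]:
    """Parse krb5.conf into nested dicts: {section: {key: value | {subkey: ...}}}.
    Comment lines (# or ;) and blank lines are skipped; '}' closes a nested block."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []   # enclosing blocks while inside key = { ... }
    current: Dict[str, Any] = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.match(r"^\[([^\]]+)\]$", line)
        if section:
            current = root.setdefault(section.group(1), {})
            stack = []
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in krb5.conf")
            current = stack.pop()
            continue
        kv = re.match(r"^([^=]+?)\s*=\s*(.*)$", line)
        if not kv:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = kv.group(1), kv.group(2)
        if value == "{":                  # start of a nested block
            stack.append(current)
            current = current.setdefault(key, {})
        else:
            current[key] = value
    if stack:
        raise ValueError("unterminated '{' block in krb5.conf")
    return root


def find_redundant_pam_settings(conf: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (category, key) findings for the appdefaults/pam block:
    'duplicate'  - same value as [libdefaults], so the override changes nothing
    'override'   - differs from [libdefaults]; pam_krb5 alone will use this value
    'pam-only'   - no [libdefaults] counterpart; applies to pam_krb5 only
    'krb4'       - krb4_convert* setting, unused once v4 compatibility was dropped"""
    findings: List[Tuple[str, str]] = []
    libdefaults = conf.get("libdefaults", {})
    pam = conf.get("appdefaults", {}).get("pam", {})
    for key in LIBDEFAULTS_KEYS:
        if key not in pam:
            continue
        if key not in libdefaults:
            findings.append(("pam-only", key))
        elif pam[key] == libdefaults[key]:
            findings.append(("duplicate", key))
        else:
            findings.append(("override", key))
    for key in pam:
        if key.startswith("krb4_convert"):
            findings.append(("krb4", key))
    return findings


if __name__ == "__main__":
    for category, key in find_redundant_pam_settings(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(f"{category:9} appdefaults/pam/{key}")
```

Running it against a real client would be `parse_krb5_conf(open("/etc/krb5.conf").read())`; an empty result matches the post-fix file from comment 15, where the [appdefaults] section is gone entirely.
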
Comment 10 Namita Soman 2011-10-10 19:54:54 UTC
marking assigned based on comment #9

Comment 14 Rob Crittenden 2011-10-12 19:19:07 UTC
Extraneous appdefaults section removed from krb5.conf in upstream:

master: 592bf621615b002c7945a9700aab0d5fc33cfe26

ipa-2-1: a065cfba0bda09ba3424f6ca85e9ce998f6af975

Comment 15 Namita Soman 2011-10-19 17:34:42 UTC
Verified the appdefaults section is removed with ipa-client-2.1.3-2.el6.x86_64

Comment 16 Rob Crittenden 2011-10-31 20:16:49 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] section.
Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging.
Fix: Remove the unnecessary values and sections.
Result: A much cleaner and concise configuration file.

Comment 17 errata-xmlrpc 2011-12-06 18:36:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html